Updating the Universal Prompt: Collaboration, Simplification and Democratizing Security
Aaron McConnell, an Engineering Technical Lead at Duo, is driven by our mission to make security more accessible for everyone. The Duo Universal Prompt aims to do that by making multi-factor authentication as easy for users as it is effective. Every Duo team has been part of this innovative initiative meant to modernize technology and ensure more users can customize Duo to their needs. Aaron spoke about the technical side of this enterprise and how collaboration, proactive problem solving, and Duo’s culture contributed to this upgrade.
Question: What was the state of the Universal Prompt before the recent update? What problems did you want to solve or customer feedback did you want to address?
Aaron McConnell: These conversations began years ago. We had a number of problems that we wanted to solve, and some customer problems as well. The old style of prompt didn’t work for a lot of customers because it was in an iFrame. It’s a kind of technology where you embed pieces of a web application inside a different web application, and that’s an area rife with security problems. A lot of internet browsers are getting restrictive about what you can do with it.
Customers also found the prompt more burdensome than we wanted. They wanted to customize it in various ways, in terms of visuals or language, that it wasn’t well-suited to do.
At Duo, we also wanted to improve the security and use the most up-to-date protocols and procedures. There were also new mechanisms that were becoming popular, like OpenID Connect (OIDC). We wanted to support these modern and standardized processes in our application because we had our own custom homegrown protocol that didn’t interact with anything else well. There were also concerns about vulnerabilities if customers didn’t keep their secret keys as secure as we wanted them to.
For all those reasons, we wanted to do a technical refresh of the prompt and provide the latest and most interoperable security mechanisms. At the same time, our Duo Mobile team wanted to do a visual and software refresh to update the look and feel of the application, make it more usable for our customers, and solve some of these security problems.
Question: How did collaboration play into Universal Prompt?
Aaron McConnell: At one point, it involved basically every team at Duo working simultaneously on some aspect of it. Because we had our core team that owns the authentication piece of Duo, they were the front leaders on this.
Our mobile teams got pulled in because their mobile application was getting refreshed and had to look consistent across everything. So that involved our design teams working together on: how is this going to look on desktop? On mobile? How’s it going to look embedded in another thing?
We’re Duo, we’re Cisco. Our security teams were heavily involved and asked, “How are we going to make sure this new way to authenticate is secure?” Our Product teams needed to make sure this is solving customer problems, that they’re going to be able to use it, and that it has the features our customers want.
Our teams that work with our Device Health application got involved because this new prompt needs to be able to check the security hygiene of devices, just like our old prompt did. My team got involved because we own the software we publish on our GitHub page so that customers can embed the prompt in their application. So, we needed to make sure that it worked well with being able to publish these Web SDK clients to customers to actually use this because if nobody can use it, that doesn’t do us any good.
Also, our site reliability engineers, who keep the website up and running, had to be sure this wasn’t causing too much traffic in one area causing outages. Our Customer Success team communicated to customers, “Hey, this is coming down the pike. This is going to change, it’s going to look like this. When do you want to turn it on? How’s it going to look? How’s it going to affect your users?”
There were challenges keeping everything going, but we did a really great job.
Question: How did you overcome unexpected challenges?
Aaron McConnell: Big picture, we didn’t have a lot of setbacks because we had a lot of discussion and kept everybody in the loop and saw problems before they happened. Small picture, lots of day-to-day challenges, but that happens everywhere and to everyone and you get past it.
“That’s why we do what we do: to solve day-to-day problems. We knew where we wanted to go, we validated what we were going to do. We saw the problems before they happened at the high level and got ahead of them and solved them.”
Question: What discoveries did you find most surprising?
Aaron McConnell: I was surprised with how little people wanted to have to deal with, with the prompt. Our Product Design team kept coming back and saying, “No, it’s got to be simpler.” And I was like, “Really? There’s not much left.” It’s at the point now where it’s basically one big button to log in, though you can add more if you need to.
Another thing I found surprising was how many teams got involved. I would think of a team and be like, “Oh, they don’t really have anything to do with Universal Prompt.” But no, they did. For instance, our Data Science team got involved because we wanted to know how many people are using this new feature. And how many people are using this type of policy? What’s the breakdown of Mac users versus PC users? They helped us make decisions such as, if we know 90% of our users are using Push, we optimize the Prompt for the Push experience.
We had the market research and user validation going in ahead of time so that we didn’t get surprised. We got ahead by getting customers involved really early.
Question: What else did you learn that will stick with you?
Aaron McConnell: I got to know more about that OIDC protocol than I ever wanted to before. So, I’m pretty sure I can deal with that for the rest of my life. It was also interesting seeing how the project was organized not with a top-down approach of, “This is how you’re going to do the thing,” but working out who had to be the leaders in an area. Everyone needed to be kept in the loop about what was happening and when it was happening, but they didn’t necessarily need to be the ones who called the shots.
For instance, Customer Success needed to know when things were happening so they could communicate with customers. When it was time to roll it out to customers, they stepped to the forefront and took a bit more control about how the actual rollout would happen to make sure it went successfully. That was a really impressive thing that I can take forward, of who is going to lead and be the driver at various parts of this feature rollout and who needs to be kept in the loop so that they can take charge later.
Question: At Duo we’re driven by values: being kinder than necessary; learning together; engineering the business; and building for the future. How did these values impact your work?
Aaron McConnell: Building for the future was fairly obvious. One of the main drivers for this whole project was to update the prompt experience to be more modern and forward-facing and get rid of some of these older mechanisms that weren’t working for us anymore.
“The main driver always was, ‘This needs to serve our customers better in the future. How are we going to get there?’ Learning together, we were constantly sharing our knowledge and our thoughts about how this was going, keeping everybody in the loop.”
Early on, engineers tried experimental stuff. Some groups would get together and say, “I’m going to try this approach and see if it’s going to work.” They would figure out what was good about it, what wasn’t good about it, what was going to work, what wasn’t going to work, and share that with the rest of us to help make decisions about which approach to go with technologically.
Engineering the business. This involved every team at Duo. We had to figure out mechanisms to keep people in the loop. How are they going to know when they have things to get done? How are they going to get feedback on how that went? So, we introduced new mechanisms to keep everybody on the same page.
Kinder than necessary. That’s how we do everything at Duo. We wanted to be kinder than necessary to our users by giving them a prompt experience they could actually use. But it flavors every interaction we have at Duo. If somebody was having a problem or made a mistake, they never got scolded for it. They never got negative feedback for trying something new because that’s not what we do at Duo. When people were having a tough time getting something to work, they got a lot of support from their team. But that’s not unique to this project — that happens on everything at Duo.
Question: What do you find most exciting about Universal Prompt?
Aaron McConnell: I like that we made it usable for our customers to integrate into their applications. I enjoy getting the tools to the people who take the product and work on the code, architecture and design of their applications to add Duo. With Universal Prompt, we’ve put out clients for it in a variety of languages. I’ve been involved in every single one of them. I hand-wrote one of them.
I am absolutely super happy that we finally got out of the iFrame, because that was causing all kinds of headaches for our customers and us. It was really cool getting to a more modern technology stack and more modern authentication processes in order to make it easier for people to integrate with us.
Question: What’s next for Universal Prompt?
Aaron McConnell: We have a couple big pushes going on right now. We’re moving away from U2F — a lot of browsers are dropping support for it because WebAuthn is more flexible and better supports a variety of use cases.
We’re also integrating Universal Prompt with our new Passwordless product. We need to think behind the scenes: Is there anything the Prompt needs to do that it’s not currently doing to support that use case? Where’s the future of passwordless going? Are there new mechanisms that we need to make sure we can support?
Some work just went out to improve the customization features so our customers who want to integrate it with their applications can have it look more natural to their users. We’re always adding language support and new internationalization and localization features to support more and more countries that want to use Duo.
Accessibility is another priority. We have somebody who’s constantly evaluating the accessibility of the Prompt for people who are blind, low-vision, deaf or hard of hearing. As new standards in accessibility come out, we make sure the Prompt addresses them. And we’re evaluating what else we need to do so customers can actually consume this. Are there additional computer languages that we need to support? Are there additional computer frameworks or browsers that we need to make sure this works in?
Question: What else would you like to share about Universal Prompt?
Aaron McConnell: We can make the coolest Prompt on the planet with the most functionality and the simplest and the easiest to use — but if no one actually uses it, it doesn’t do anybody any good. If there are folks who want to use Duo but can’t for some reason, we want to hear from you so that we can make it work for you. If you need the Duo client in a new computer language, we need to hear about that.
If you run a company and your users can’t use Duo, or the Prompt doesn’t work for you, we need to know that you need more functionality on the Prompt. That’s the most important message I want to get across about the Universal Prompt right now.
Duo’s mission is democratizing security. If you can’t use Duo, we have not democratized security. If it’s not accessible to you, we failed in our mission, so we need to know about that so that we can make it happen.